Bug 667326

Summary: '-s' option in sss_obfuscate command is a bit redundant.
Product: Red Hat Enterprise Linux 6 Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: low    
Version: 6.0CC: benl, dpal, grajaiya, jgalipea, kbanerje, prc
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.5.1-1.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 11:42:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 579778    

Description Gowrishankar Rajaiyan 2011-01-05 09:20:45 UTC 
Description of problem:
'-s' option in sss_obfuscate command is a bit redundant and functions the same even without '-s' option.

Version-Release number of selected component (if applicable):
sssd-1.5.1-0.2010122318git375e3e4.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure a native ldap domain as specified in "Additional info" section.
2. Execute "sss_obfuscate -d LDAP"
3. Enter password and press "CTRL-d".
  
Actual results:
Obfuscated password gets added to the domain.


Expected results:
Either the password should be a command line option for "sss_obfuscate" or '-s' should be used to read input from stdin. The current behaviour of reading password from stdin without '-s' makes this option a bit redundant. 

No password and without '-s' option should display the usage message.


Additional info:
[domain/LDAP]
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_default_bind_dn = uid=puser1,ou=People,dc=example,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 9
min_id = 1000
ldap_uri = ldaps://ldap.server.redhat.com:636
enumerate = True
ldap_schema = rfc2307
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
Comment 2 Stephen Gallagher 2011-01-05 12:00:25 UTC 
The -s option does seem redundant, yes. It should probably be removed. I don't think we want to pass the password at the commandline, though. That's vulnerable to process-monitoring programs to see what the password was.

This is why we have the -f/--file option to sss_obfuscate. It guarantees that the password isn't visible in the process table.

I think our approach here should be to drop the -s option and update the manpage to note that the password is read from stdin unless -f is specified.
Comment 3 Gowrishankar Rajaiyan 2011-01-05 17:39:27 UTC 
As per man sss_obfuscate,

<snip>
       -f,--file FILE
           Read the config file specified by the positional parameter.
           Default: /etc/sssd/sssd.conf
</snip>

This option just reads the specified config file.
Comment 4 Stephen Gallagher 2011-01-05 17:47:59 UTC 
Whoops, I misread that. So yeah, we just need to kill the -s option since it's useless.

My other comment about not passing it at the command-line stands, though.
Comment 6 Stephen Gallagher 2011-01-20 15:11:29 UTC 
Upstream ticket https://fedorahosted.org/sssd/ticket/768 has resolved this issue by changing the default behavior with no arguments passed. It will now perform an interactive request for the password. Thus, the -s input to read from stdin now makes sense.
Comment 9 Gowrishankar Rajaiyan 2011-03-21 06:38:01 UTC 
sss_obfuscate command does not read the password from stdin without '-s', as expected. 


#  rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 14.el6                        Build Date: Wed 09 Mar 2011 02:30:12 PM EST
Install Date: Mon 21 Mar 2011 01:14:19 AM EDT      Build Host: x86-009.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-14.el6.src.rpm
Size        : 3418526                          License: GPLv3+
Signature   : RSA/8, Thu 10 Mar 2011 11:27:42 AM EST, Key ID 938a80caf21541eb
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 10 errata-xmlrpc 2011-05-19 11:42:07 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 11 errata-xmlrpc 2011-05-19 13:09:04 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html